Great news! This is the only thing that worked for me too. I think there are parts of gaiad that still hardcoded to priv_validator.json.
To use tmkms on a testnet, I needed to take the Bech32 key that tmkms printed out (via tmkms yubihsm keys list) and pass that as the argument to gaiad tx stake create-validator:
$ gaiacli tx stake create-validator --amount=10000STAKE --pubkey=cosmosvalconspub1zcjduepqfgjuveq2raetnjt4xwpffm63kmguxv2chdhvhf5lhslmtgeunh8qmf7exk --moniker="iqlusion.io" --chain-id=gaia-9002 [...]
For this to work, however, you’ll need v0.2.2+ of tmkms (v0.2.3 includes some timeout fixes which you’ll probably want). Earlier versions printed out incorrect cosmosvalconspub addresses.
You’ll need to create a validator with a pubkey that matches one of the keys stored in tmkms for it to begin signing transactions using the command above.
As soon as you do, provided things are configured correctly it will begin signing transactions.